On Tue, Aug 26, 2014 at 05:17:08PM +0300, Nerijus Kislauskas wrote:

> I'm doing an installation of our university main mail gateway. Assume
> that with one postfix instance I want to receive mail on mx-1.domain.tld
> (inbound policy)

The MX hostname is irrelevant, some machine name or other will
appear in your MX records.

> and provide mail services to our employees with
> smtp.domain.tld (outbound policy).

This submission hostname will appear in the mail client settings
of the users.  Use port 587 with TLS for submission.

> My postfix instance should listen on mx-1.domain.tld:25.

That's the MX host service.

> There I will put postscreen in front. For outbound
> mail the same instance should listen on smtp.domain.tld:{25,465,587}.

For a new installation, DO NOT implement port 25 submission.  Make
it only 587 and only if unavoidable 465.

> Can I get rid of configuring master.cf?

No, because the stock master.cf has the port 587 (and 465) submission
services commented out.

> If it is possible, how? If not,
> what is better: put mx or smtp listeners in master.cf?

All SMTP listener end-points go into master.cf.  The postscreen
for port 25, and the submission services, plus the "smtpd pass"
service for postscreen handoff.

You can do this with a single Postfix instance, or a separate
submission instance (probably better in the long run, maybe
even on a separate machine or VM).

> In production there will be 3 postfix instances with 2 domains being
> served as mx and smtp, 1 for the system itself, over 16 IP addresses (both v4
> and v6) and a cluster on top of that. I need the configuration to be
> as simple as it can be.

Simple is in the eye of the beholder.   Read:

    http://www.postfix.org/MULTI_INSTANCE_README.html

Do you prefer multiple single-purpose individually simpler
configurations, or a monolithic configuration that is more complex
internally, but centralizes all the logic?  Your call.

As the author of MULTI_INSTANCE_README, I can't give an impartial
opinion.

If you have sufficiently complex requirements for submission
(different content filtering, different rewriting logic, ...)
you're better off with a separate instance most likely.

If your submission processing sufficiently closely resembles
your inbound processing, a single instance may suffice.

-- 
        Viktor.
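
Added example, not part of the original message: a single-instance master.cf
fragment laid out as the reply describes, with postscreen on port 25, the
"smtpd pass" handoff service, and a TLS-only authenticated submission service
on 587. The addresses 192.0.2.10 and 192.0.2.20 are documentation placeholders
assumed to stand for mx-1.domain.tld and smtp.domain.tld.

```conf
# master.cf fragment (constructed example; addresses are placeholders)
# service        type  private unpriv chroot wakeup maxproc command + args

# MX side: postscreen owns port 25 on the MX address. This takes the place
# of the stock "smtp inet ... smtpd" line.
192.0.2.10:25    inet  n       -      n      -      1       postscreen
# Clients that pass postscreen are handed off to this smtpd.
smtpd            pass  -       -      n      -      -       smtpd
# Helper services postscreen uses for DNSBL lookups and STARTTLS.
dnsblog          unix  -       -      n      -      0       dnsblog
tlsproxy         unix  -       -      n      -      0       tlsproxy

# Submission side: port 587 on the submission address, no port 25 here.
# Mandatory TLS, SASL authentication required, everything else rejected.
192.0.2.20:587   inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Port 465 (TLS wrapper mode), enabled only if unavoidable:
#192.0.2.20:465  inet  n       -      n      -      -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```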
